Re: [exim] Solved: Encrypted SSL Postgres Connection

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] Solved: Encrypted SSL Postgres Connection
On 2021-09-16, Pat via Exim-users <exim-users@???> wrote:

> That failed with:
> Failed: lookup of "select generate_series(1,10) " gave DEFER: PGSQL connection failed: root certificate file "root.crt" does not exist
> Either provide the file or change sslmode to disable server certificate verification.
>
> I was a little stumped at that point. I was testing from
> /usr/local/etc/exim, and the certificate was indeed present. I tried a
> few different things to the DB_NAME value, such as quoting the redefined
> contents, wrapping some and then all in parentheses, doing both, etc. but
> nothing changed the output. Then I ran /usr/local/sbin/exim -d +all -be
> '${lookup pgsql{ select generate_series(1,10) }}' which didn't really
> give me anything. However in looking over the output I noticed several
> references to /var/spool/exim, such as:
> lock name: /var/spool/exim/eximuser.lock.
>
> So I moved the two certificates and the key file to /var/spool/exim. Bingo!


This is interesting. It will be hard (impossible) to use slashes in
the database parameters, so yes, you will need to put the key file (or
a symlink that points to it) in the spool directory.

This explains why the bug report is also asking for the option to use
URL style connection strings. That would allow slashes.

> I am assuming at this point that the DB_PW portion is noise that the
> PG cluster ignores (or at least doesn't parse) because it is set to
> an invalid value but I see no sign of it in the PG log. In fact the
> thepguser role has no password in the cluster.


Exim passes it to libpq. What libpq does with the parameters it gets
from exim is up to the postgresql developers.


--
Jasen.
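
Added example, not part of the original message and not Exim or PostgreSQL code: a shell check for the layout discussed above, confirming that each TLS file name is slash-free and resolves (directly or through a symlink) to a regular file in the spool directory. The names `client.crt` and `client.key` are assumptions, and the key permission test follows libpq's rule that a client key must not be group or world accessible, applied more strictly than libpq does for root-owned keys.

```shell
#!/bin/sh
# Added example (not from the thread). File names other than root.crt are assumed.

# check_tls_file DIR NAME [key]
# Returns 0 when NAME is usable as a relative TLS file name from DIR.
check_tls_file() {
    dir=$1 name=$2 kind=${3:-cert}
    case $name in
        # The thread notes slashes cannot be used in the database parameters.
        */*) echo "FAIL $name: contains a slash"; return 1 ;;
    esac
    path=$dir/$name
    # -f and -r follow symlinks, so a symlink to a file elsewhere is accepted.
    if [ ! -f "$path" ]; then
        echo "FAIL $name: no regular file in $dir (missing or dangling symlink)"
        return 2
    fi
    if [ ! -r "$path" ]; then
        echo "FAIL $name: not readable by $(id -un)"
        return 3
    fi
    if [ "$kind" = key ]; then
        # ls -L shows the mode of the symlink target; columns 5-10 are the
        # group and other permission bits.
        bits=$(ls -ldL "$path" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL $name: key is group/world accessible ($bits)"
            return 4
        fi
    fi
    echo "ok   $name"
    return 0
}

# Usage: sh check.sh /var/spool/exim root.crt client.crt client.key
# Run it as the user Exim runs as, so the readability test is meaningful.
if [ "$#" -ge 2 ]; then
    spool=$1; shift
    status=0
    for n in "$@"; do
        case $n in *.key) k=key ;; *) k=cert ;; esac
        check_tls_file "$spool" "$n" "$k" || status=1
    done
    exit "$status"
fi
```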